Description
Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.

An attacker can exploit this issue only if both of the following conditions are met:

* The application uses JsonTemplateLayout.
* The application logs a MapMessage, or logs an object directly (e.g., via Logger.info(Object), which wraps it in an ObjectMessage), where the message contains an attacker-controlled floating-point value.


Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

Note: The fix released in version 2.25.4 did not cover all affected code paths. CVE-2026-49844 was assigned to the remaining issue, which concerns the MapMessage.asJson() serialization in Apache Log4j API and is fixed in versions 2.25.5 and 2.26.1.
Published: 2026-04-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the updated description, the flaw in Log4j’s JsonTemplateLayout occurs when serialization encounters non‑finite floating‑point values such as NaN, Infinity, or –Infinity. Because these values are not permitted by the JSON standard (RFC 8259), the layout emits malformed JSON. The malformed data can cause downstream log processing, indexing, or monitoring systems that receive these logs to reject the records or crash, corrupting audit trails and potentially leading to loss of logs or service interruption. In addition, the CVE note indicates that the fix in 2.25.4 does not cover all affected code paths; a related issue in MapMessage.asJson() serialization is addressed in later releases (2.25.5/2.26.1) under CVE-2026-49844.

Affected Systems

Affected are Apache Log4j JsonTemplateLayout releases up through 2.25.3. The vendor’s advisory recommends upgrading to 2.25.4 or a later release to apply the fix, which corrects the serialization logic for some but not all code paths that produce JSON output.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium‑severity vulnerability, while the EPSS value of less than 1% and absence from the CISA KEV catalog suggest a low probability of active exploitation. An attacker must meet two conditions to exploit the issue: the application must use JsonTemplateLayout and the attacker must be able to force the application to log a MapMessage or an object containing an attacker‑controlled non‑finite floating‑point value. The attack vector is therefore only viable in environments where user input is logged by JsonTemplateLayout; if those conditions are satisfied, the attacker could trigger failures or crashes in downstream log ingesters, potentially causing a denial of service. Note that while 2.25.4 addresses the majority of code paths, the remaining serialization flaw in MapMessage.asJson() requires 2.25.5 or later for full remediation.

Generated by OpenCVE AI on July 17, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Log4j JsonTemplateLayout to version 2.25.4 or later; note that this release does not address all affected code paths, so consider upgrading to 2.25.5 or 2.26.1 for full coverage.
  • Adjust the application’s logging configuration to reference the updated layout and remove any legacy references.
  • Sanitize or replace any NaN, Infinity, or –Infinity values in logged MapMessage or object payloads before the logging call.

Generated by OpenCVE AI on July 17, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w35j-pv5h-q9q9 Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout
History

Sat, 11 Jul 2026 05:45:00 +0000

Type Values Removed Values Added
Description Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue. Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage, or logs an object directly (e.g., via Logger.info(Object), which wraps it in an ObjectMessage), where the message contains an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue. Note: The fix released in version 2.25.4 did not cover all affected code paths. CVE-2026-49844 was assigned to the remaining issue, which concerns the MapMessage.asJson() serialization in Apache Log4j API and is fixed in versions 2.25.5 and 2.26.1.

Fri, 24 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc2:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:beta3:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-241
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate


Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache log4j
Vendors & Products Apache log4j

Fri, 10 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.
Title Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout
First Time appeared Apache
Apache log4j Layout Template Json
Weaknesses CWE-116
CPEs cpe:2.3:a:apache:log4j_layout_template_json:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache log4j Layout Template Json
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}


Subscriptions

Apache Log4j Log4j Layout Template Json
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-11T04:55:42.502Z

Reserved: 2026-03-28T19:23:37.127Z

Link: CVE-2026-34481

cve-icon Vulnrichment

Updated: 2026-04-10T16:18:20.891Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T16:16:31.663

Modified: 2026-06-17T10:39:07.233

Link: CVE-2026-34481

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-10T15:43:00Z

Links: CVE-2026-34481 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T03:30:04Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output

  • CWE-241

    Improper Handling of Unexpected Data Type